As our world becomes increasingly digital, the importance of cybersecurity has never been more critical.
From personal devices to enterprise networks, cyber threats are evolving at an alarming pace, targeting vulnerabilities and exploiting our growing reliance on technology. October marks ‘Cybersecurity Awareness Month’ – a global initiative to promote awareness and education around protecting data and maintaining secure online practices.
With the theme of Cybersecurity Awareness Month being ‘Secure Our World’, we are – in this series of blog posts – looking to provide insight into the cybersecurity regulatory efforts in Europe, the US and Asia.
In this first blog post of the series, we will explore the cybersecurity regulatory efforts in Europe, examining the Digital Operational Resilience Act (DORA), the Network and Information Security Directive (NIS2) and the Cyber Resilience Act (CRA).
1. DORA
The Digital Operational Resilience Act (DORA) is a European Union regulation that will take effect on 17 January 2025. With a goal to ensure the financial sector in Europe remains resilient during severe operational disruptions, DORA aims to enhance information technology security for financial entities, insurance companies and investment firms.
DORA, which centres on the financial sector, not only targets businesses and organizations within the sector (such as credit institutions, investment firms, payment institutions, trading venues and repositories, insurance intermediaries and credit rating agencies), but also includes third-party information and communications technology (ICT) service providers that offer services to these financial entities.
Although there is much to discuss when it comes to the complexities of DORA, this post will focus solely on its primary objectives.
ICT risk management
DORA lays out a set of key principles and requirements on ICT risk management which revolve around specific functions in ICT risk management – including identification, protection and prevention, detection, response and recovery, learning and evolving, and communication.
In looking to comply with their obligations, financial entities are required to:
- Set up and maintain resilient ICT systems and tools that minimize the impact of ICT risk.
- Identify, on a continuous basis, all sources of ICT risk.
- Set up protection and prevention measures and promptly detect anomalous activities.
- Put in place dedicated and comprehensive business continuity policies and disaster recovery plans as an integral part of the operational business continuity policy.
Reporting of ICT-related incidents
DORA sets out a general requirement for financial entities to establish and implement a management process to monitor and log ICT-related incidents.
An ICT-related incident which is deemed to be ‘major’ must be reported to the competent authorities, using a common template and following a harmonised procedure. In reporting, financial entities should submit initial, intermediate and final reports, and inform their users and clients if the incident has, or may have, an impact on their financial interests.
Operational resilience testing
An organization’s ICT risk management framework needs to be reviewed at least annually to ensure preparedness and identify weaknesses, deficiencies or gaps. Any corrective measures should be promptly implemented.
DORA allows for a proportionate application of digital operational resilience testing requirements, taking into consideration the size, business and risk profiles of financial entities. Financial institutions which are deemed to be significant or cyber-mature will also be required to carry out advanced threat-led penetration testing every three years, in addition to their annual testing.
Information-sharing
Financial entities are allowed to set up arrangements to share cyber threat information amongst themselves in order to raise awareness of ICT risk, minimise its spread, and support the defensive capabilities and threat detection techniques of financial entities.
Management of third-party risk
Managing ICT third-party risk is an integral component of the ICT risk management framework. As part of their risk management framework, financial entities must adopt and regularly review a strategy on ICT third-party risk, which should include a policy on ICT services provided by ICT third-party service providers.
Please see our other blog posts on DORA for a more comprehensive read of the obligations pursuant to it.
2. NIS2
The Network and Information Systems Directive (NIS2) entered into force on 17 January 2023 to enhance cybersecurity across the EU. It is important to note that NIS2 is a directive, which must be transposed into national law by each Member State by 17 October 2024. Essentially, a directive establishes an objective that each EU country must meet, but it allows the individual Member States the flexibility to create their own laws on how to reach these goals.
Broad scope of organizations
Organizations will be in scope of NIS2 if they provide services or carry out their activities in the EU, meet or exceed the definition of a ‘medium-sized enterprise’ (or are otherwise in scope of NIS2, regardless of their size), and operate in a broad range of sectors – including energy, transport, banking, health, space, financial infrastructure, digital infrastructure, digital providers, chemicals and manufacturing.
Risk management
The risk management principles in NIS2 require essential and important service providers to adopt a proactive approach to cybersecurity by implementing measures to manage and mitigate risks to their network and information systems. This includes identifying potential threats, assessing vulnerabilities, and taking appropriate steps to prevent, detect and respond to cyber incidents. While organizations must conduct regular risk assessments and implement appropriate security measures, it is noted that the specific requirements can vary depending on the sector and the size of the organization.
Cooperation and information-sharing
One of the objectives of NIS2 is to improve information-sharing, setting out that Member States shall ensure NIS2 entities – and, where relevant, entities not falling within the scope of NIS2 – are able to exchange amongst themselves relevant cybersecurity information on a voluntary basis in certain circumstances. This can include information relating to cyber threats, near misses, vulnerabilities, techniques and procedures, indicators of compromise, adversarial tactics, threat-actor-specific information, etc.
Information-sharing under NIS2 should occur to prevent, detect, respond to or recover from incidents – or to mitigate their impact. It also should enhance cybersecurity through raising threat awareness, limiting threat spread, and supporting defensive capabilities, vulnerability remediation, threat detection, containment, mitigation strategies, or response and recovery stages. Member States must ensure this takes place within communities of essential and important entities, including their suppliers or service providers.
3. CRA
The Cyber Resilience Act (CRA) was formally approved by the European Parliament in September 2024 and will most likely enter into force in early 2025.
The CRA is the first-ever EU-wide legislation of its kind. It introduces common cybersecurity rules for manufacturers and developers of products with digital elements – covering both hardware and software – and aims to establish common cybersecurity standards for ‘products with digital elements’ placed on the EU market.
The CRA applies to a ‘product with digital elements’, which means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately. Some examples of products with digital elements include:
- End devices (laptops, smartphones, sensors and smart robots)
- Software (operating systems, mobile apps and desktop applications)
- Components (both hardware and software, such as computer processing units and video cards)
A key element of the CRA is the coverage of the whole life cycle of the products and, in particular, the provision of obligations for manufacturers and developers to define a support period that reflects the time the product is expected to be in use, and to provide security updates during that period.
The CRA is expected to have the following impact:
- First, ensuring that products with digital elements placed on the EU market have fewer vulnerabilities, and that manufacturers remain responsible for cybersecurity throughout a product’s life cycle.
- Second, improving transparency on the security of hardware and software products.
To achieve these two goals, the CRA mandates that products with digital elements will only be made available on the market if they meet specific essential cybersecurity requirements. It requires manufacturers to factor cybersecurity into the design and development of products with digital elements.
Challenges and future outlook
Despite the comprehensive regulatory framework, Europe continues to face significant cybersecurity challenges. The rapid pace of digital transformation, the rise of sophisticated cyberattacks and the growing number of connected devices pose ongoing risks. Additionally, ensuring that businesses of all sizes – particularly small and medium-sized enterprises (SMEs) – can comply with these complex regulations remains a concern.
Looking ahead, the European Commission is focusing on creating a unified digital market underpinned by robust cybersecurity measures. The newly appointed commissioner responsible for tech sovereignty, security and democracy, Henna Virkkunen, has as her mission to combat ‘increasingly complex security threats … including the need for Europe to do more to defend itself, to hybrid and cyber threats, attacks on critical infrastructure, foreign information manipulation and interference’.